<!DOCTYPE html>
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport">
  <meta name="description" content="刘清政">
  <meta name="keyword" content="hexo-theme">
  
    <link rel="shortcut icon" href="/css/images/logo.png">
  
  <title>
    
      linux/入门到精通/09-LinuxACL控制 | Justin-刘清政的博客
    
  </title>
  <link href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet">
  <link href="//cdnjs.cloudflare.com/ajax/libs/nprogress/0.2.0/nprogress.min.css" rel="stylesheet">
  <link href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/tomorrow.min.css" rel="stylesheet">
  
<link rel="stylesheet" href="/css/style.css">

  
    
<link rel="stylesheet" href="/css/plugins/gitment.css">

  
  <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
  <script src="//cdnjs.cloudflare.com/ajax/libs/geopattern/1.2.3/js/geopattern.min.js"></script>
  <script src="//cdnjs.cloudflare.com/ajax/libs/nprogress/0.2.0/nprogress.min.js"></script>
  
    
<script src="/js/qrious.js"></script>

  
  
    
<script src="/js/gitment.js"></script>

  
  

  
<meta name="generator" content="Hexo 4.2.0"></head>
<div class="wechat-share">
  <img src="/css/images/logo.png" />
</div>

  <body>
    <header class="header fixed-header">
  <div class="header-container">
    <a class="home-link" href="/">
      <div class="logo"></div>
      <span>Justin-刘清政的博客</span>
    </a>
    <ul class="right-list">
      
        <li class="list-item">
          
            <a href="/" class="item-link">主页</a>
          
        </li>
      
        <li class="list-item">
          
            <a href="/tags/" class="item-link">标签</a>
          
        </li>
      
        <li class="list-item">
          
            <a href="/archives/" class="item-link">归档</a>
          
        </li>
      
        <li class="list-item">
          
            <a href="/about/" class="item-link">关于我</a>
          
        </li>
      
    </ul>
    <div class="menu">
      <span class="icon-bar"></span>
      <span class="icon-bar"></span>
      <span class="icon-bar"></span>
    </div>
    <div class="menu-mask">
      <ul class="menu-list">
        
          <li class="menu-item">
            
              <a href="/" class="menu-link">主页</a>
            
          </li>
        
          <li class="menu-item">
            
              <a href="/tags/" class="menu-link">标签</a>
            
          </li>
        
          <li class="menu-item">
            
              <a href="/archives/" class="menu-link">归档</a>
            
          </li>
        
          <li class="menu-item">
            
              <a href="/about/" class="menu-link">关于我</a>
            
          </li>
        
      </ul>
    </div>
  </div>
</header>

    <div id="article-banner">
  <h2>linux/入门到精通/09-LinuxACL控制</h2>



  <p class="post-date">2020-07-06</p>
    <!-- 不蒜子统计 -->
    <span id="busuanzi_container_page_pv" style='display:none' class="">
        <i class="icon-smile icon"></i> 阅读数：<span id="busuanzi_value_page_pv"></span>次
    </span>
  <div class="arrow-down">
    <a href="javascript:;"></a>
  </div>
</div>
<main class="app-body flex-box">
  <!-- Article START -->
  <article class="post-article">
    <section class="markdown-content"><h2 id="1-ACL访问控制概述"><a href="#1-ACL访问控制概述" class="headerlink" title="1.ACL访问控制概述"></a>1.ACL访问控制概述</h2><p>上一章节我们学习了基础权限<code>UGO</code>、特殊权限，但所有的权限是针对某一类用户设置的, 如果希望对文件进行自定义权限控制，就需要用到文件的访问控制列表<code>ACL</code></p>
<blockquote>
<p> UGO设置基本权限: 只能一个用户，一个组和其他人<br> ACL设置基本权限： r、w、x<br> 设定<code>acl</code>只能是<code>root</code>管理员用户. 相关命令: <code>getfacl</code> , <code>setfacl</code></p>
</blockquote>
<p><code>acl</code>基本使用方式</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">//环境准备</span><br><span class="line">[root@lqz ~]<span class="comment"># cp /etc/passwd /root/passwd</span></span><br><span class="line">//文件在没有设定acl, 看到的和传统权限是一样</span><br><span class="line">[root@lqz ~]<span class="comment"># ll passwd</span></span><br><span class="line">-rw-r--r-- 1 root root 0 10-26 13:59 /home/test.txt</span><br><span class="line"></span><br><span class="line">//使用getacl查看权限</span><br><span class="line">[root@lqz ~]<span class="comment"># getfacl passwd </span></span><br><span class="line"><span class="comment"># file: passwd</span></span><br><span class="line"><span class="comment"># owner: root</span></span><br><span class="line"><span class="comment"># group: root</span></span><br><span class="line">user::rw-   //文件owner权限</span><br><span class="line">group::r--  //文件拥有组权限</span><br><span class="line">other::r--  //其他人权限</span><br></pre></td></tr></table></figure>

<h3 id="1-设定acl权限案例如下"><a href="#1-设定acl权限案例如下" class="headerlink" title="1.设定acl权限案例如下"></a>1.设定<code>acl</code>权限案例如下</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">-rw-r--r-- 1 root root 1380 Feb 27 11:25 passwd</span><br><span class="line"></span><br><span class="line">alice 拥有读写权限    rw</span><br><span class="line">bgx  没有任何权限     -</span><br><span class="line">jack 组拥有读权限     r</span><br><span class="line">匿名用户拥有读写权限  rw</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">//建立相关用户</span><br><span class="line">[root@lqz ~]<span class="comment"># useradd alice</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd bgx</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd jack</span></span><br><span class="line"></span><br><span class="line">//增加用户 alice 权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m u:alice:rw passwd</span></span><br><span class="line"></span><br><span class="line">//增加用户 bgx 权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m u:bgx:- passwd</span></span><br><span class="line"></span><br><span class="line">//增加匿名用户权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m o::rw passwd</span></span><br><span class="line"></span><br><span class="line">//增加组权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m g:jack:r passwd</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">注意: 如果用户同时属于不同的两个组，并且两个组设定了acl访问控制</span><br><span class="line">    1.根据acl访问控制优先级进行匹配规则</span><br><span class="line">    2.如有用户拥有多个组的权限不同的权限，优先使用最高权限（模糊匹配）</span><br></pre></td></tr></table></figure>

<h3 id="2-查看acl权限"><a href="#2-查看acl权限" class="headerlink" title="2.查看acl权限"></a>2.查看<code>acl</code>权限</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">[root@lqz ~]<span class="comment"># ll passwd</span></span><br><span class="line">-rw-rw-rw-+ 1 root root 1531 Jan 26 07:52 passwd</span><br><span class="line"></span><br><span class="line">[root@lqz ~]<span class="comment"># getfacl passwd</span></span><br><span class="line"><span class="comment"># file: passwd</span></span><br><span class="line"><span class="comment"># owner: root</span></span><br><span class="line"><span class="comment"># group: root</span></span><br><span class="line">user::rw-</span><br><span class="line">user:bgx:---</span><br><span class="line">user:alice:rw-</span><br><span class="line">group::r--</span><br><span class="line">group:jack:r--</span><br><span class="line">mask::rw-</span><br><span class="line">other::rw-</span><br></pre></td></tr></table></figure>

<h3 id="3-移除acl权限"><a href="#3-移除acl权限" class="headerlink" title="3.移除acl权限"></a>3.移除<code>acl</code>权限</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">//移除jack组的acl权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -x g:jack passwd</span></span><br><span class="line"></span><br><span class="line">//移除bgx用户的acl权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -x u:bgx passwd</span></span><br><span class="line"></span><br><span class="line">//移除文件和目录所有acl权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -b passwd</span></span><br><span class="line"></span><br><span class="line">//移除默认的acl</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -k dir</span></span><br></pre></td></tr></table></figure>

<h3 id="4-查看acl帮助"><a href="#4-查看acl帮助" class="headerlink" title="4.查看acl帮助"></a>4.查看<code>acl</code>帮助</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">//EXAMPLES 示例文档</span><br><span class="line">[root@lqz ~]<span class="comment"># man setfacl</span></span><br><span class="line"></span><br><span class="line">//复制 file1 的 ACL 权限给 file2</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m u:alice:rw,u:bgx:r,g:jack:rw file1</span></span><br><span class="line">[root@lqz ~]<span class="comment"># getfacl file1 |setfacl --set-file=- file2</span></span><br></pre></td></tr></table></figure>

<h2 id="2-ACL高级特性MASK"><a href="#2-ACL高级特性MASK" class="headerlink" title="2.ACL高级特性MASK"></a>2.ACL高级特性MASK</h2><p><code>mask</code>用于临时降低用户或组的权限，但不包括文件的所有者和其他人。<br><code>mask</code>最主要的作用是用来决定用户的最高权限。</p>
<blockquote>
<p> <code>mask</code>默认不会对匿名用户降低权限，所以为了便于管理文件的访问控制，建议匿名用户的权限置为空</p>
</blockquote>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">//临时降低用户或组权限</span><br><span class="line">[root@lqz ~]<span class="comment"># setfacl -m mask::rw filename</span></span><br></pre></td></tr></table></figure>

<blockquote>
<p> 小结<br> 1.<code>mask</code>会影响哪些用户，除了所有者和其他人。<br> 2.<code>mask</code>权限决定了用户访问文件时的最高权限。(如何影响)<br> 3.<code>mask</code>用于临时降低用户访问文件的权限。(mask做什么)<br> 4.任何重新设置<code>acl</code>访问控制会清理<code>mask</code>所设定的权限。</p>
</blockquote>
<h2 id="3-ACL高级特性Default"><a href="#3-ACL高级特性Default" class="headerlink" title="3.ACL高级特性Default"></a>3.ACL高级特性Default</h2><p>default: 继承(默认)</p>
<p><code>alice</code>能够对<code>/opt</code>目录以及以后在<code>/opt</code>目录下新建的文件有读、写、执行权限</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">//赋予 alice 对/home 读写执行权限 </span><br><span class="line">[root@lqz ~]<span class="comment">## setfacl -R -m u:alice:rwX /opt</span></span><br><span class="line">//赋予 alice 对以后在/home 下新建的文件有读写执行权限(使 alice 的权限继承) </span><br><span class="line">[root@lqz ~]<span class="comment">## setfacl -m d:u:alice:rwX /opt</span></span><br><span class="line"></span><br><span class="line">//检查对应的权限</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># getfacl /opt/</span></span><br><span class="line">getfacl: Removing leading <span class="string">'/'</span> from absolute path names</span><br><span class="line"><span class="comment"># file: opt/</span></span><br><span class="line"><span class="comment"># owner: root</span></span><br><span class="line"><span class="comment"># group: bgx</span></span><br><span class="line">user::rwx</span><br><span class="line">user:alice:rwx</span><br><span class="line">group::rwx</span><br><span class="line">mask::rwx</span><br><span class="line">other::rwx</span><br><span class="line">default:user::rwx</span><br><span class="line">default:user:alice:rwx</span><br><span class="line">default:group::rwx</span><br><span class="line">default:mask::rwx</span><br><span class="line">default:other::rwx</span><br></pre></td></tr></table></figure>

<h2 id="4-ACL访问控制实践案例"><a href="#4-ACL访问控制实践案例" class="headerlink" title="4.ACL访问控制实践案例"></a>4.ACL访问控制实践案例</h2><p>案例1: 将新建文件的属性修改<code>tom:admin</code>, 权限默认为644<br>要求: <code>tom</code>对该文件有所有的权限, <code>mary</code>可以读写该文件, <code>admin</code>组可以读写执行该文件, <code>jack</code>只读该文件, 其他人一律不能访问该文件</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line">//实验前, 建立几个普通用户</span><br><span class="line">[root@lqz ~]<span class="comment"># useradd tom</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd bean</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd mary</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd jack</span></span><br><span class="line">[root@lqz ~]<span class="comment"># useradd sutdent</span></span><br><span class="line">[root@lqz ~]<span class="comment"># groupadd admin</span></span><br><span class="line">[root@lqz ~]<span class="comment"># gpasswd -a mary admin</span></span><br><span class="line">[root@lqz ~]<span class="comment"># gpasswd -a bean admin</span></span><br><span class="line"></span><br><span class="line">//检查用户属性</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># id tom</span></span><br><span class="line">uid=1004(tom) gid=1004(tom) groups=1004(tom)</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># id mary</span></span><br><span class="line">uid=1006(mary) gid=1006(mary) groups=1006(mary),1007(admin)</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># id bean</span></span><br><span class="line">uid=1005(bean) gid=1005(bean) groups=1005(bean),1007(admin)</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># id jack</span></span><br><span class="line">uid=1002(jack) gid=1002(jack) groups=1002(jack)</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># id sutdent</span></span><br><span class="line">uid=1007(sutdent) gid=1008(sutdent) groups=1008(sutdent)</span><br><span class="line"></span><br><span class="line">//准备相关文件</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># cp /etc/passwd /root/</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># chown tom:admin passwd</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># chmod 644 passwd</span></span><br><span class="line"></span><br><span class="line">//检查设定前的acl列表</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># getfacl passwd</span></span><br><span class="line"><span class="comment"># file: passwd</span></span><br><span class="line"><span class="comment"># owner: tom</span></span><br><span class="line"><span class="comment"># group: admin</span></span><br><span class="line">user::rw-</span><br><span class="line">group::r--</span><br><span class="line">other::r--</span><br><span class="line"></span><br><span class="line">//设定acl权限</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># setfacl -m u::rwx,u:mary:rw,u:jack:r,g:admin:rwx,o::- passwd</span></span><br><span class="line"></span><br><span class="line">//检查acl权限</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># getfacl passwd</span></span><br><span class="line"><span class="comment"># file: passwd</span></span><br><span class="line"><span class="comment"># owner: tom</span></span><br><span class="line"><span class="comment"># group: admin</span></span><br><span class="line">user::rwx</span><br><span class="line">user:jack:r--</span><br><span class="line">user:mary:rw-</span><br><span class="line">group::r--</span><br><span class="line">group:admin:rwx</span><br><span class="line">mask::rwx</span><br><span class="line">other::---</span><br></pre></td></tr></table></figure>

<blockquote>
<p> acl的控制规则是从上往下匹配<br> 1.<code>tom</code>由于是文件的拥有者，所以直接按照<code>user::rwx</code>指定的权限去操作<br> 2.<code>mary</code>用户从上往下寻找匹配规则，发现<code>user:mary:rw-</code>能够精确匹配<code>mary</code>用户，尽管<code>mary</code>属于<code>admin</code>组，同时<code>admin</code>组有<code>rwx</code>的权限，但是由于<code>mary</code>用户的规则在前面，所有优先生效。<br> 3.<code>bean</code>由于找不到精确匹配的规则，而<code>bean</code>是属于<code>admin</code>组，根据文件的定义，该文件是属于<code>admin</code>组，所以<code>bean</code>的权限是按照<code>group:admin:rwx</code>的权限去操作。<br> 4.<code>jack</code>用户从上往下寻找匹配规则，发现<code>user:jack:r--</code>能够精确匹配<code>jack</code>用户。<br> 5.<code>student</code>用户找不到精确匹配的<code>user</code>定义规则, 也找不到相关组的定义规则，最后属于<code>other</code>。</p>
</blockquote>
<p>案例2: <code>lab acl setup</code></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">controller组成员有:student</span><br><span class="line">sodor组成员有:thomas,james</span><br><span class="line"></span><br><span class="line">目录: /shares/steamies</span><br><span class="line">文件: /shares/steamies/file</span><br><span class="line">脚本: /shares/steamies/test.sh</span><br><span class="line"></span><br><span class="line">controller属于该目录的所属组, 新建文件必须属于controller组</span><br><span class="line">sodor组的成员对该目录拥有rwx权限</span><br><span class="line">sodor组成员james对该目录及子目录(包括以后新建立的文件)没有任何权限</span><br></pre></td></tr></table></figure>

<p>实际操作</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line">//准备用户</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># groupadd controller</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># groupadd sodor</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># useradd student -G controller</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># useradd thomas -G sodor</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># useradd james -G sodor</span></span><br><span class="line"></span><br><span class="line">//准备目录</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># mkdir /shares/steamies -p</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># echo "file" &gt;&gt; /shares/steamies/file</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># echo "echo 123" &gt;&gt; /shares/steamies/test.sh</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># chmod 755 /shares/steamies/test.sh</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># chown -R  :controller /shares/steamies/</span></span><br><span class="line">[root@linux-node1 ~]<span class="comment"># chmod g+s /shares/steamies/</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">//设定权限(X表示,如果原本有执行权限就保留,如果没有则不添加)</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># setfacl -R -m g:sodor:rwX,u:james:- /shares/steamies/</span></span><br><span class="line"></span><br><span class="line">//设定继承规则</span><br><span class="line">[root@linux-node1 ~]<span class="comment"># setfacl -R -m d:g:sodor:rwX,d:u:james:- /shares/steamies/</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">[root@linux-node1 steamies]<span class="comment"># getfacl /shares/steamies/</span></span><br><span class="line">getfacl: Removing leading <span class="string">'/'</span> from absolute path names</span><br><span class="line"><span class="comment"># file: shares/steamies/</span></span><br><span class="line"><span class="comment"># owner: root</span></span><br><span class="line"><span class="comment"># group: controller</span></span><br><span class="line"><span class="comment"># flags: -s-</span></span><br><span class="line">user::rwx</span><br><span class="line">user:james:---</span><br><span class="line">group::r-x</span><br><span class="line">group:sodor:rwx</span><br><span class="line">mask::rwx</span><br><span class="line">other::r-x</span><br><span class="line">default:user::rwx</span><br><span class="line">default:group::r-x</span><br><span class="line">default:group:sodor:rwx</span><br><span class="line">default:mask::rwx</span><br><span class="line">default:other::r-x</span><br></pre></td></tr></table></figure></section>
    <!-- Tags START -->
    
    <!-- Tags END -->
    <!-- NAV START -->
    
  <div class="nav-container">
    <!-- reverse left and right to put prev and next in a more logic postition -->
    
      <a class="nav-left" href="/linux/%E5%85%A5%E9%97%A8%E5%88%B0%E7%B2%BE%E9%80%9A/08-Linux%E7%89%B9%E6%AE%8A%E6%9D%83%E9%99%90/">
        <span class="nav-arrow">← </span>
        
          linux/入门到精通/08-Linux特殊权限
        
      </a>
    
    
      <a class="nav-right" href="/linux/%E5%85%A5%E9%97%A8%E5%88%B0%E7%B2%BE%E9%80%9A/10-Linux%E8%BE%93%E5%85%A5%E8%BE%93%E5%87%BA/">
        
          linux/入门到精通/10-Linux输入输出
        
        <span class="nav-arrow"> →</span>
      </a>
    
  </div>

    <!-- NAV END -->
    <!-- 打赏 START -->
    
      <div class="money-like">
        <div class="reward-btn">
          赏
          <span class="money-code">
            <span class="alipay-code">
              <div class="code-image"></div>
              <b>使用支付宝打赏</b>
            </span>
            <span class="wechat-code">
              <div class="code-image"></div>
              <b>使用微信打赏</b>
            </span>
          </span>
        </div>
        <p class="notice">点击上方按钮,请我喝杯咖啡！</p>
      </div>
    
    <!-- 打赏 END -->
    <!-- 二维码 START -->
    
      <div class="qrcode">
        <canvas id="share-qrcode"></canvas>
        <p class="notice">扫描二维码，分享此文章</p>
      </div>
    
    <!-- 二维码 END -->
    
      <!-- Gitment START -->
      <div id="comments"></div>
      <!-- Gitment END -->
    
  </article>
  <!-- Article END -->
  <!-- Catalog START -->
  
    <aside class="catalog-container">
  <div class="toc-main">
  <!-- 不蒜子统计 -->
    <strong class="toc-title">目录</strong>
    
      <ol class="toc-nav"><li class="toc-nav-item toc-nav-level-2"><a class="toc-nav-link" href="#1-ACL访问控制概述"><span class="toc-nav-text">1.ACL访问控制概述</span></a><ol class="toc-nav-child"><li class="toc-nav-item toc-nav-level-3"><a class="toc-nav-link" href="#1-设定acl权限案例如下"><span class="toc-nav-text">1.设定acl权限案例如下</span></a></li><li class="toc-nav-item toc-nav-level-3"><a class="toc-nav-link" href="#2-查看acl权限"><span class="toc-nav-text">2.查看acl权限</span></a></li><li class="toc-nav-item toc-nav-level-3"><a class="toc-nav-link" href="#3-移除acl权限"><span class="toc-nav-text">3.移除acl权限</span></a></li><li class="toc-nav-item toc-nav-level-3"><a class="toc-nav-link" href="#4-查看acl帮助"><span class="toc-nav-text">4.查看acl帮助</span></a></li></ol></li><li class="toc-nav-item toc-nav-level-2"><a class="toc-nav-link" href="#2-ACL高级特性MASK"><span class="toc-nav-text">2.ACL高级特性MASK</span></a></li><li class="toc-nav-item toc-nav-level-2"><a class="toc-nav-link" href="#3-ACL高级特性Default"><span class="toc-nav-text">3.ACL高级特性Default</span></a></li><li class="toc-nav-item toc-nav-level-2"><a class="toc-nav-link" href="#4-ACL访问控制实践案例"><span class="toc-nav-text">4.ACL访问控制实践案例</span></a></li></ol>
    
  </div>
</aside>
  
  <!-- Catalog END -->
</main>

<script>
  (function () {
    var url = 'http://www.liuqingzheng.top/linux/入门到精通/09-LinuxACL控制/';
    var banner = ''
    if (banner !== '' && banner !== 'undefined' && banner !== 'null') {
      $('#article-banner').css({
        'background-image': 'url(' + banner + ')'
      })
    } else {
      $('#article-banner').geopattern(url)
    }
    $('.header').removeClass('fixed-header')

    // error image
    $(".markdown-content img").on('error', function() {
      $(this).attr('src', 'http://file.muyutech.com/error-img.png')
      $(this).css({
        'cursor': 'default'
      })
    })

    // zoom image
    $(".markdown-content img").on('click', function() {
      var src = $(this).attr('src')
      if (src !== 'http://file.muyutech.com/error-img.png') {
        var imageW = $(this).width()
        var imageH = $(this).height()

        var zoom = ($(window).width() * 0.95 / imageW).toFixed(2)
        zoom = zoom < 1 ? 1 : zoom
        zoom = zoom > 2 ? 2 : zoom
        var transY = (($(window).height() - imageH) / 2).toFixed(2)

        $('body').append('<div class="image-view-wrap"><div class="image-view-inner"><img src="'+ src +'" /></div></div>')
        $('.image-view-wrap').addClass('wrap-active')
        $('.image-view-wrap img').css({
          'width': `${imageW}`,
          'transform': `translate3d(0, ${transY}px, 0) scale3d(${zoom}, ${zoom}, 1)`
        })
        $('html').css('overflow', 'hidden')

        $('.image-view-wrap').on('click', function() {
          $(this).remove()
          $('html').attr('style', '')
        })
      }
    })
  })();
</script>


  <script>
    var qr = new QRious({
      element: document.getElementById('share-qrcode'),
      value: document.location.href
    });
  </script>



  <script>
    var gitmentConfig = "liuqingzheng";
    if (gitmentConfig !== 'undefined') {
      var gitment = new Gitment({
        id: "linux/入门到精通/09-LinuxACL控制",
        owner: "liuqingzheng",
        repo: "FuckBlog",
        oauth: {
          client_id: "32a4076431cf39d0ecea",
          client_secret: "94484bd79b3346a949acb2fda3c8a76ce16990c6"
        },
        theme: {
          render(state, instance) {
            const container = document.createElement('div')
            container.lang = "en-US"
            container.className = 'gitment-container gitment-root-container'
            container.appendChild(instance.renderHeader(state, instance))
            container.appendChild(instance.renderEditor(state, instance))
            container.appendChild(instance.renderComments(state, instance))
            container.appendChild(instance.renderFooter(state, instance))
            return container;
          }
        }
      })
      gitment.render(document.getElementById('comments'))
    }
  </script>




    <div class="scroll-top">
  <span class="arrow-icon"></span>
</div>
    <footer class="app-footer">
<!-- 不蒜子统计 -->
<span id="busuanzi_container_site_pv">
     本站总访问量<span id="busuanzi_value_site_pv"></span>次
</span>
<span class="post-meta-divider">|</span>
<span id="busuanzi_container_site_uv" style='display:none'>
     本站访客数<span id="busuanzi_value_site_uv"></span>人
</span>
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>



  <p class="copyright">
    &copy; 2021 | Proudly powered by <a href="https://www.cnblogs.com/xiaoyuanqujing" target="_blank">小猿取经</a>
    <br>
    Theme by <a href="https://www.cnblogs.com/xiaoyuanqujing" target="_blank" rel="noopener">小猿取经</a>
  </p>
</footer>

<script>
  function async(u, c) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (c) { o.addEventListener('load', function (e) { c(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }
</script>
<script>
  async("//cdnjs.cloudflare.com/ajax/libs/fastclick/1.0.6/fastclick.min.js", function(){
    FastClick.attach(document.body);
  })
</script>

<script>
  var hasLine = 'true';
  async("//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js", function(){
    $('figure pre').each(function(i, block) {
      var figure = $(this).parents('figure');
      if (hasLine === 'false') {
        figure.find('.gutter').hide();
      }
      var lang = figure.attr('class').split(' ')[1] || 'code';
      var codeHtml = $(this).html();
      var codeTag = document.createElement('code');
      codeTag.className = lang;
      codeTag.innerHTML = codeHtml;
      $(this).attr('class', '').empty().html(codeTag);
      figure.attr('data-lang', lang.toUpperCase());
      hljs.highlightBlock(block);
    });
  })
</script>





<!-- Baidu Tongji -->

<script>
    var _baId = 'c5fd96eee1193585be191f318c3fa725';
    // Originial
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "//hm.baidu.com/hm.js?" + _baId;
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
</script>


<script src="/js/script.js"></script>


<script src="/js/search.js"></script>


<script src="/js/load.js"></script>



  <span class="local-search local-search-google local-search-plugin" style="right: 50px;top: 70px;;position:absolute;z-index:2;">
      <input type="search" placeholder="站内搜索" id="local-search-input" class="local-search-input-cls" style="">
      <div id="local-search-result" class="local-search-result-cls"></div>
  </span>


  </body>
</html>